Gawker reported earlier this week that David Barksdale, a 27-year-old Google engineer used his internal clearances to access users' accounts, including the information of four minors. "It's unclear how widespread Barksdale's abuses were," says Gawker, "but in at least four cases, Barksdale spied on minors' Google accounts without their consent, according to a source close to the incidents. In an incident this spring involving a 15-year-old boy who he'd befriended, Barksdale tapped into call logs from Google Voice, Google's Internet phone service, after the boy refused to tell him the name of his new girlfriend, according to our source. After accessing the kid's account to retrieve her name and phone number, Barksdale then taunted the boy and threatened to call her."
A Question of Trust
As creepy (and criminal) as this incident is, more troubling, perhaps, is this quotation in the Gawker article from another former Google employee, who says that Site Reliability Engineers like Barksdale have unfettered access to users' accounts for the services they oversee: "The company does not closely monitor SREs to detect improper access to customers' accounts because SREs are generally considered highly-experienced engineers who can be trusted, the former Google staffer said."
Google has confirmed the story and has fired Barksdale, but won't discuss the case in detail. In a press statement, Google says that "We carefully control the number of employees who have access to our systems, and we regularly upgrade our security controls-for example, we are significantly increasing the amount of time we spend auditing our logs to ensure those controls are effective."
What Oversights Are in Place?
On one hand, these sorts of incidents can happen anywhere. Security breaches are threats in any organization. But of course, on the other hand, this is Google, a company that has access to an incredible amount of our personal data. Google is making great strides in moving governments and schools to the cloud, both groups bringing with them unique rules and regulations (such as COPPA) about the protection of private information.
The incident also reflects on the steps that may need to be taken to address not just internal security threats, but those threats to one's cloud service provider. Gartner's Neil MacDonald writes today that cloud providers should be held to a standard that's even higher than those required to maintain internal standards and integrity because in the cloud "the impact of the lapse [in security] is magnified."
MacDonald points to the Cloud Security Alliance's Cloud Controls Matrix as one resource for thinking through some of the considerations for developing better security standards. And while the firing of the Google engineer may be simply a bad PR incident for Google ("Have fun explaining this to parents" as schools transition to Google Apps, writes Funny Monkey's Bill Fitzgerald), it does raise the spectre once again for cloud computing that it's somehow a less secure IT solution.